Panda Security: Spin, Lies, and Stupidity

Panda Security Defaced with Message from Anonymous to Sabu, and Panda's Subsequent Denial

Wed Mar 7 17:29:38 CST 2012

After news that the leader of LulzSec, Sabu, was busted and
had been working as an informant to the FBI, commentary flowed freely. Some bloggers,
like Panda Security's Luis Corrons, appeared overeager to denounce LulzSec and Anonymous.
Rather than offer a more rational commentary with speculation, Corrons opted to insult
Anonymous (site unavailable at time of posting) by claiming that without their leader, they
would be relegated to annoying denial of service at best:

Really good news. I have just read that LulzSec members have been arrested and that their
main head Sabu has been working as an informant for the FBI. It turns out he was arrested
last year, and since then he has been working with Law Enforcement.
As I said, really good news :)
Will this mean the end of Anonymous? No. It will mean the end of LulzSec, but Anonymous
existed before LulzSec and will continue existing. However we probably won't see any more
hacks as the ones LulzSec had been perpetrating, and Anonymous will only use their known
childish tactic of DDoS using their LOIC tool.

Taunting a group like Anonymous, who has a clear history of hacking into networks without
Sabu, is like sticking your penis into a hornet's nest, as Stephen Colbert once said.
It was no surprise to many that shortly after this blog post, Anonymous compromised many
of Panda Security's web sites and posted a message directed toward Sabu [1] [2].
A ZDNet article provides the full list of the 36 web sites that were compromised and replaced
with the message.

Attrition.org was told of one of the sites very shortly after the defacement,
so we tweeted about it and CC'd @PandaSecurity as a courtesy, in case they weren't aware. Shortly
after, Panda replied to the tweet with a link and said "not our site". The link went to a
Facebook post, which is ironic enough. Claiming that websites on the pandasecurity.com domain
are "not theirs", then using Facebook (also "not theirs") to refudiate the point is as absurd
as it is dangerous:

Panda Security
On March 6th the hacking group LulzSec, part of Anonymous, obtained access to a Panda Security
webserver hosted outside of the Panda Security internal network. This server was used only for
marketing campaigns and to host some of the company's blogs. Neither the main website www.pandasecurity.com
nor www.cloudantivirus.com were affected in the attack. The attack did not breach Panda Security's
internal network and neither source code, update servers nor customer data was accessed. The only
information accessed was related to marketing campaigns such as landing pages and some obsolete
credentials, including supposed credentials for employees that have not been working at Panda
for over five years.
We continue investigating the cause of the intrusion and will provide more details as soon as they
become available. Meanwhile we assure all our customers and partners that none of their information
has been compromised and that our products and services continue functioning as normal.

First, it doesn't matter if it wasn't part of your internal network; it was one of
your web servers. 36 Panda Security-owned domains were defaced, and they can only try to
spin and backpedal, rather than focus on the integrity of their web sites (and response to
the public). Claiming so quickly that no internal servers were breached shows they are guessing,
not summarizing a sufficient investigation. Second, using terms like "some obsolete credentials"
for the 100+ email accounts stolen does not reassure anyone, as it speaks to the lack of basic
security policy being followed within the company. Third, the defacement said that their
flagship Antivirus
product had been backdoored. Panda Security owes it to their customers to perform a diligent
investigation to ensure that did not happen, rather than a quick denial that may or may not
be true.

All around, Panda Security's handling of this incident has been dismal and an insult
to the security community.